

October 31, 2006

Captcha - the bug is catching

Over at Coding Horror, there's a big post up about Captcha effectiveness. I seem to have developed an interest in these - I've discussed the issue before here and here. A Captcha is a "completely automated public Turing test to tell computers and humans apart" - one of those little images with mangled letters which you have to enter into a box on a web form.

I don't like them for a variety of reasons, including the following:

  • They're difficult to use if you're partially sighted. Some Captchas are hard to use if you're fully sighted! They're impossible if you're blind.
  • They're slightly less secure than you might think - laboratory tests can break lots of the easier ones.
  • They waste my time.

The World Wide Web Consortium even agrees with me, which makes a change.

The correspondent at Coding Horror doesn't agree with me:

Although there have been a number of CAPTCHA-defeating proof of concepts published, there is no practical evidence that these exploits are actually working in the real world. And if CAPTCHA is so thoroughly defeated, why is it still in use on virtually every major website on the internet? Google, Yahoo, Hotmail, you name it, if the site is even remotely popular, their new account forms are protected by CAPTCHAs.

Interestingly, most of the Captcha-defeating articles and papers that I have read find the Yahoo and Hotmail Captchas fiendishly difficult. I'm happy to admit that the better Captchas will defeat computer attempts at deciphering. My problem mostly comes from the idea that the better Captchas defeat humans as well.

Aside from computer recognition techniques for Captchas, he also points to some alternative methods that have been suggested for defeating the tests (these originally came from the Petmail Documentation).

1. The Turing Farm

Let's say spammers set up a sweatshop to employ people to look at computer screens and answer CAPTCHA challenges. They get to send one message for each challenge passed. Assuming 10 seconds per challenge, and paying roughly $5 per hour, that represents $14 per thousand messages. A typical spam run of 1 million messages per day would cost $14,000 per day and require 116 people working 24/7.

This would break the economic model used by most current spammers. A recent Wired article showed one spammer earning $10 for each successful sale. At that rate, the cost of $14,000 for 1,000,000 spam emails requires a 1 in 1000 success rate just to break even, whereas current spammers are managing a 1 in 100,000 or even 1 in 1,000,000 success rate.

Now that's a fair argument. It's well-considered on economic grounds, with some reasonable assumptions and estimates. Let's consider the other option highlighted:

2. The Turing Porn Farm

A recent slashdot article described a trick in which spammers run a porn site that is gated by CAPTCHA challenges, which are actually ripped directly from Yahoo's new account creation page. The humans unwittingly solve the challenge on behalf of the spammers, who can therefore automate a process that was meant to be rate-limited to humans. This attack is simply another way of paying the workers of a Turing Farm. The economics may be infeasible because porn hosting costs money too.

That's not a well-reasoned argument. "The economics may be infeasible because porn hosting costs money too." Quite possibly, but this fact is just as true for real porn. Porn hosting costs money - yet I believe there's quite a lot of porn out there on the Internet. This remains an entirely feasible way to defeat a Captcha.
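The Petmail cost model quoted above can be turned into a small calculator, which makes it easy to check the figures and to see how the conclusion changes when the inputs move (a cheaper labour rate, a faster solver, or a porn-farm relay where the per-solve wage is effectively zero). This is an added example, not code from the post or from Petmail; the input values are the ones the quote uses, and the porn-farm case is modelled by setting the per-challenge cost to the page view's hosting cost, which is an assumption for illustration.

```python
import math

SECONDS_PER_DAY = 86_400


def cost_per_challenge(seconds_per_challenge: float, hourly_wage: float) -> float:
    """Dollars paid for one human-solved challenge at a given wage."""
    return seconds_per_challenge / 3600.0 * hourly_wage


def cost_per_thousand(seconds_per_challenge: float, hourly_wage: float) -> float:
    """Cost of 1,000 solved challenges (the quote's $14 figure)."""
    return 1000 * cost_per_challenge(seconds_per_challenge, hourly_wage)


def daily_cost(messages_per_day: int, seconds_per_challenge: float, hourly_wage: float) -> float:
    """Total labour cost for one day's spam run."""
    return messages_per_day * cost_per_challenge(seconds_per_challenge, hourly_wage)


def workers_needed(messages_per_day: int, seconds_per_challenge: float) -> int:
    """People needed around the clock to keep up with the run (the quote's 116)."""
    return math.ceil(messages_per_day * seconds_per_challenge / SECONDS_PER_DAY)


def break_even_messages_per_sale(messages_per_day: int, run_cost: float, revenue_per_sale: float) -> float:
    """How many messages may be sent per sale before the run loses money ('1 in N')."""
    sales_needed = run_cost / revenue_per_sale
    return messages_per_day / sales_needed


def farm_is_profitable(success_rate: float, messages_per_day: int, run_cost: float, revenue_per_sale: float) -> bool:
    """True when the observed success rate (sales per message) covers the solving cost."""
    return success_rate * messages_per_day * revenue_per_sale >= run_cost


def turing_farm_report(messages_per_day=1_000_000, seconds_per_challenge=10.0,
                       hourly_wage=5.0, revenue_per_sale=10.0) -> dict:
    """Reproduce the Petmail Turing Farm numbers; defaults are the quote's assumptions."""
    run_cost = daily_cost(messages_per_day, seconds_per_challenge, hourly_wage)
    return {
        "cost_per_thousand": round(cost_per_thousand(seconds_per_challenge, hourly_wage), 2),
        "daily_cost": round(run_cost),
        "workers": workers_needed(messages_per_day, seconds_per_challenge),
        "break_even_one_in": round(break_even_messages_per_sale(messages_per_day, run_cost, revenue_per_sale)),
        # Observed rates from the quote: 1 in 100,000 and 1 in 1,000,000
        "profitable_at_1_in_100k": farm_is_profitable(1 / 100_000, messages_per_day, run_cost, revenue_per_sale),
    }


def porn_farm_report(messages_per_day=1_000_000, hosting_cost_per_view=0.0001, revenue_per_sale=10.0) -> dict:
    """Relay attack: each challenge costs only the hosting of one page view (assumed value, not from the page)."""
    run_cost = messages_per_day * hosting_cost_per_view
    return {
        "daily_cost": round(run_cost),
        "break_even_one_in": round(break_even_messages_per_sale(messages_per_day, run_cost, revenue_per_sale)),
        "profitable_at_1_in_100k": farm_is_profitable(1 / 100_000, messages_per_day, run_cost, revenue_per_sale),
    }


if __name__ == "__main__":
    print("Turing farm:", turing_farm_report())
    print("Porn farm relay:", porn_farm_report())
```

The first report reproduces the quote's $14 per thousand, roughly $14,000 per day and 116 workers, and shows the run losing money at the observed 1-in-100,000 rate. The second shows why the author's objection holds: once the human solver is an unpaid visitor, the per-challenge cost collapses to a fraction of a cent and the same run becomes profitable at the same success rate.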
